Hope you are good. We're missing payments on our statements for the invoices included in this email. Please let us know when the payments will be initiated.

BTW, trying to get a reply from you for a long time. This is not junk, do not ignore it please.

Kind Regards

Jeffry Rogers

Henderson Group

Tel: 337-338-4607

I have only seen a single sample of this, it is likely that the company names and sender will vary. Attached is a file missing_quickbooks982.zip which contains a malicious obfuscated javascript 91610_facture_2016.js which attempts to download a component from:

web.spartanburgcommunitycollege.com/gimme/some/loads_nigga.php

This drops a file pretending to be favicon.ico which is actually an executable with a detection rate of 3/56. This Hybrid Analysis and this DeepViz report indicate network traffic to:

Yesterday and the day before my colleague (Glover Hector) sent you a request regarding the invoice INV_6325-2016-victimdomain.tld past due.

I kindly ask you to give us a reply finally. We're getting no answers from you. Please stop ignoring invoice requests.

Many thanks and good luck

Milan Bell

DORIC NIMROD AIR ONE LTD

tel. 443-682-9021

The rather rude pitch here is a canny bit of social engineering, designed to make you open the attachment without thinking. I have only seen one sample of this at present and I guess that the details vary from email to email. In this case the attachment was called pastdue_tovictimdomain.tld340231.zip containing a malicious script pastdue60121342016.js.

Cheekily the URL references a well-known security company. The domain it is using is a hijacked GoDaddy domain, and the download location is actually hosted at:

176.103.56.30 (PE Ivanov Vitaliy Sergeevich / Xserver.ua, Ukraine)

You can be sure that this is a malicious server and I recommend blocking it. This script downloads a binary named alarm.exe which has a detection rate of 4/56. The Hybrid Analysis for this sample shows network connections to:

Now available through iTunes - iBooks @ https://itunes.apple.com/us/book/cryptoapocalypse-now/id1100062356?ls=1&mt=11

Cryptopocalypse NOW is the story behind the trials and tribulations encountered in creating "FooCrypt, A Tale of Cynical Cyclical Encryption."

"FooCrypt, A Tale of Cynical Cyclical Encryption." is aimed at hardening several commonly used Symmetric Open Source Encryption methods so that they are hardened to a standard that is commonly termed 'QUANTUM ENCRYPTION'.

"FooCrypt, A Tale of Cynical Cyclical Encryption." is currently under export control by the Australian Department of Defence Defence Export Controls Office due to the listing of Cryptology as a ‘Dual Use’ Technology as per the ‘Wassenaar Arrangement’.

A permit from Defence Export Control is expected within the next 2 months as the Australian Signals Directorate is currently assessing the associated application(s) for export approval of "FooCrypt, A Tale of Cynical Cyclical Encryption."

Early releases of "Cryptopocalypse NOW" will be available in the period leading up to June, 2016.

This is Volume 1 of N, where N represents an arbitrary number greater than 1 but less than infinity.

Limited Edition Collectors Versions and Hard Back Editions are available via the store on http://www.foocrypt.net/

Err.. no. "Quantum Encryption" is a branch of quantum physics; it's a completely different level of encryption, in the same way that an aeroplane is not like a car. Attached is some weird semi-messianic picture..

The email originates from 208.79.219.105 (Loose Foot Computing, Canada). This also happens to be the IP address of:

foocrypt.net
mail0.foocrypt.net

So, the email was sent from the server it is spamvertising. That's normally a pretty certain indicator that the person running the web site is doing the spamming, and that it isn't a Joe Job. If you visit the spamvertised website (not recommended) then you can find a link to a crowdfunding appeal at www.gofundme.com/foocrypt which tells you all you need to know about the credibility of the project..

Yes.. so far it has raised $5 out of a $1,000,000 target in nearly two months. Good luck with the other $999,995.

The sender is apparently one "Mark A Lane" but other than some connections to Australia, I cannot identify an individual behind it. The following websites do all seem to be related, however:

enalakram.net
fookey.net
fookey.org
foocrypt.net

The closest I can get to contact details is the WHOIS entry for fookey.org:

I haven't had the chance to do the analysis myself, so I am relying on the analysis of a contact (thank you). The attachment is FFGDES34309.doc which comes in three different variants, downloading from:

I have received two more samples, one named invoice574206/1.pdf and the other invoice574206/1.doc. Both are Word documents (so the one with the PDF extension will not open). The VirusTotal detection rates are 7/54 and 4/55. One of these two also produces an error when run.

UKMail Info!
Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.

Warranties
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service.
Where the law prevents such exclusion and implies conditions and warranties into this contract,
where legally permissible the liability of UKMail for breach of such condition,
guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again.
If you don't receive a package within 30 working days UKMail will charge you for its keeping.
You can find any information about the procedure and conditions of parcel keeping in the nearest post office.

Best regards,
UKMail

The attachment is named 988271023-PRCL.doc and so far I have come across three different versions of this (VirusTotal results [1][2][3]), containing a malicious macro like this [pastebin] which according to these Hybrid Analysis reports [4][5][6] downloads a malware binary from the following locations:

Despite the "gov.au" site that apparently displays in the link, it actually leads to a download from i.nfil.es of a ZIP file called report2104.zip, which in turn contains the malicious executable report2104.exe.

Currently this malware has a reasonable detection rate of 23/57. Out of various automated analysis tools, only the Payload Security Hybrid Analysis engine gave a decent result indicating that a connection was made to a legitimate but hacked site relianceproducts.com and then several versions of the same .EXE were downloaded, which this VirusTotal report indicates is the Dyre banking trojan. That same VirusTotal post also lists a number of C&C servers that you might want to block:

**Please note that this is an automatically generated email - replies will not be answered.

I have only seen one sample of this and the Cubby download page was showing quota exceeded. However, the payload will be identical to the one found in this other Australian-themed spam running concurrently.

The names and the numbers change from email to email. Despite the displayed URL in the message, the link actually goes to cubbyusercontent.com (e.g. https://www.cubbyusercontent.com/pl/RYR5601763.zip/_33cdead4ebfe45179a32ee175b49c399) but these download locations don't last very long as there is a quota on each download.

In this case, the downloaded file is RYR5601763.zip which contains a malicious executable RYR5601763.scr which has a VirusTotal detection rate of 20/57.

Automated analysis tools [1][2][3][4][5] show that it downloads components from:

ebuyswap.co.uk/mandoc/muz3.rtf
eastmountinc.com/mandoc/muz3.rtf

It then attempts to phone home to:

141.105.141.87:13819/3103us13/HOME/41/7/4/

That IP is allocated to Makiyivka Online Technologies Ltd in Ukraine. In addition, it looks up the IP address of the computer at checkip.dyndns.org. Although this is benign, monitoring for it can be a good indicator of infection.

These URL requests are typical of the Upatre downloader.
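A small triage of proxy log lines for the indicators above, as an added example that is not part of the post. The log lines are constructed, the log format (`timestamp client method url status`) is an assumption, and the path regex generalises the single Upatre path shown above rather than being a published signature.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post.
PHONE_HOME_HOST = "141.105.141.87"
STAGE2_HOSTS = {"ebuyswap.co.uk", "eastmountinc.com"}
CHECKIP_HOST = "checkip.dyndns.org"
# Generalisation of /3103us13/HOME/41/7/4/ : digits, "us", digits, HOME, numeric path (assumption).
UPATRE_PATH = re.compile(r"^/\d+us\d+/HOME(?:/\d+)+/$")
# Assumed log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def indicators_for(url):
    """Names of the indicators a single requested URL matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hits = []
    if host == PHONE_HOME_HOST:
        hits.append("phone-home-ip")
    if UPATRE_PATH.match(parts.path):
        hits.append("upatre-path")
    if host in STAGE2_HOSTS and parts.path.startswith("/mandoc/"):
        hits.append("stage2-download")
    if host == CHECKIP_HOST:
        hits.append("checkip-lookup")
    return hits

def assess(lines):
    """Group indicator hits by client and give each client a verdict."""
    per_client = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the whole run
        hits = indicators_for(m["url"])
        if hits:
            per_client.setdefault(m["src"], set()).update(hits)
    report = {}
    for src, hits in per_client.items():
        strong = hits - {"checkip-lookup"}
        # The benign checkip lookup on its own is only a hint, not a verdict.
        verdict = "likely infected" if strong else "review"
        report[src] = {"indicators": sorted(hits), "verdict": verdict}
    return report

# Constructed log lines; the hosts, paths and the Ukrainian IP:port are the post's indicators.
SAMPLE_LOG = [
    "2015-11-23T10:14:02Z 10.0.0.5 GET http://ebuyswap.co.uk/mandoc/muz3.rtf 200",
    "2015-11-23T10:14:03Z 10.0.0.5 GET http://checkip.dyndns.org/ 200",
    "2015-11-23T10:14:04Z 10.0.0.5 GET http://141.105.141.87:13819/3103us13/HOME/41/7/4/ 200",
    "2015-11-23T10:20:11Z 10.0.0.9 GET http://checkip.dyndns.org/ 200",
    "2015-11-23T10:21:00Z 10.0.0.7 GET http://example.invalid/index.html 200",
    "this line is not in the expected format",
]
```

Running `assess(SAMPLE_LOG)` reports 10.0.0.5 as likely infected on all four indicators and 10.0.0.9 for review on the checkip lookup alone.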

According to the Malwr report it drops another binary jydemnr66.exe with a detection rate of 11/55 plus a benign PDF file entitled "War by remote control" which acts as some sort of cover for the infection process.

The sender's name, the ID: number and the name of the attachment vary in each case. Example attachment names are:

869B54732.xls
BE75129513.xls
C39189051.xls

None of the three attachments are detected by anti-virus vendors [1][2][3]. They each contain a slightly different macro [1][2][3]. The critical part of the encoded macro looks like this:

It's quite apparent that this is ROT13 encoded, which you can easily decode at rot13.com rather than working through the macro. These three samples give us:

So, these macros are attempting to use PowerShell to download and execute the next step (possibly to avoid the UAC popup). The downloaded binary has a VirusTotal detection rate of 3/57 and automated analysis tools [1][2][3] show attempted communications with:
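Rather than pasting each string into rot13.com, the decode-and-look step can be scripted. This is an added example, not the macro or the post's own tooling: the VBA fragment is constructed (the real macro's strings are not reproduced), the URL uses the reserved .invalid domain, and the indicator patterns are my own choices.

```python
import codecs
import re

# Patterns to look for in the decoded strings; they reflect what the post describes
# (PowerShell fetching and running the next stage) and are an assumption.
INDICATORS = {
    "powershell": r"powershell",
    "hidden-window": r"-w(?:indowstyle)?\s+hidden",
    "download": r"downloadfile|downloadstring|webclient",
    "url": r"https?://",
}

def rot13(text):
    """ROT13 is its own inverse, so decoding is the same operation as encoding."""
    return codecs.decode(text, "rot13")

def string_literals(vba_source):
    """Pull every double-quoted string literal out of a VBA fragment."""
    return re.findall(r'"([^"]*)"', vba_source)

def triage(vba_source):
    """Decode each literal and list the indicators it matches, in source order."""
    results = []
    for literal in string_literals(vba_source):
        decoded = rot13(literal)
        hits = [name for name, pat in INDICATORS.items()
                if re.search(pat, decoded, re.IGNORECASE)]
        results.append((decoded, hits))
    return results

def is_suspicious(vba_source):
    """Flag a macro that names PowerShell together with a URL or a download call."""
    fired = set()
    for _, hits in triage(vba_source):
        fired.update(hits)
    return "powershell" in fired and bool(fired & {"url", "download"})

# Constructed fragment in the shape of the post's macros (not the real macro):
# the literals are ROT13 of "powershell.exe -nop -w hidden",
# "http://example.invalid/next.exe" and a benign "Document title".
SAMPLE_MACRO = '''
Dim s As String
s = "cbjrefuryy.rkr -abc -j uvqqra"
s = s & "uggc://rknzcyr.vainyvq/arkg.rkr"
t = "Qbphzrag gvgyr"
'''

if __name__ == "__main__":
    for decoded, hits in triage(SAMPLE_MACRO):
        print(f"{decoded!r:40} -> {hits}")
    print("suspicious:", is_suspicious(SAMPLE_MACRO))
```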

Tuesday, 22 January 2013

109.123.66.30 (UK2.NET, UK) hosts several domains containing the Blackhole Exploit Kit (example here). The domains in use are (mostly) legitimate hacked domains, but there are a couple of odd things here.

Most of the malicious domains have a format like this: 700ff4ad03c655cb11919113011611137102708d4fb6daf0e74bea4aa5e8f9f.darkhands.com - in this case darkhands.com is a legitimate domain registered to an individual in Australia, but it has been hacked to create a whole load of malicious subdomains, hosted on a different server from www.darkhands.com.

In fact, almost all the domains are registered to Australians, but the key thing is that in all of those cases the main domains are hosted by OrionVM in Australia, in the 49.156.18.0/24 block. Update: it seems that a single customer was compromised and the OrionVM issue has been resolved.

So how can the main (legitimate) sites be hosted in 49.156.18.0/24, while the malicious subdomains are hosted on a completely different network in the UK? I suspect that there is a compromise of some sort at OrionVM which has allowed the DNS records to be changed (it should be noted that these domains use several different registrars).
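The anomaly described above, an apex sitting in one netblock while a subdomain resolves into an unrelated one, can be checked mechanically from a set of DNS answers. This is an added example, not part of the post: the resolution table is constructed (the www and mail addresses inside 49.156.18.0/24 are invented; the hashed subdomain and its UK address are the ones the post gives), and the /24 comparison and the naive two-label apex rule are my assumptions.

```python
import ipaddress
import re

# Long all-hex leftmost labels were the hallmark of the hijacked subdomains in the post.
HEX_LABEL = re.compile(r"^[0-9a-f]{32,}$")

def apex_of(hostname):
    """Naive apex: the last two labels. Fine for .com, wrong for ccSLDs such as .co.uk."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def is_apex_host(hostname):
    apex = apex_of(hostname)
    return hostname.lower() in (apex, "www." + apex)

def apex_networks(resolutions, prefixlen=24):
    """Map each apex to the /prefixlen networks its bare or www host resolves into."""
    nets = {}
    for host, addrs in resolutions.items():
        if is_apex_host(host):
            for addr in addrs:
                net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
                nets.setdefault(apex_of(host), set()).add(net)
    return nets

def stray_subdomains(resolutions, prefixlen=24):
    """Report subdomains whose A records fall outside every network their apex lives in."""
    nets = apex_networks(resolutions, prefixlen)
    findings = []
    for host, addrs in resolutions.items():
        apex = apex_of(host)
        if is_apex_host(host) or apex not in nets:
            continue  # nothing to compare against
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in nets[apex]):
                findings.append({
                    "host": host,
                    "ip": addr,
                    "apex_nets": sorted(str(n) for n in nets[apex]),
                    "hex_label": bool(HEX_LABEL.match(host.split(".")[0])),
                })
    return findings

# Constructed snapshot of A records. The hashed subdomain and 109.123.66.30 are from
# the post; the www and mail addresses are invented within the post's OrionVM block.
SAMPLE_RESOLUTIONS = {
    "www.darkhands.com": ["49.156.18.10"],
    "mail.darkhands.com": ["49.156.18.11"],
    "700ff4ad03c655cb11919113011611137102708d4fb6daf0e74bea4aa5e8f9f.darkhands.com": ["109.123.66.30"],
}

if __name__ == "__main__":
    for f in stray_subdomains(SAMPLE_RESOLUTIONS):
        print(f"{f['host']} -> {f['ip']} (apex in {f['apex_nets']}, hex label: {f['hex_label']})")
```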

Another oddity is that these hijacked domains only run from A to I alphabetically, which suggests that there might be other malicious servers in this same group. The domains are:

Monday, 19 December 2011

Your order has now been dispatched and your DHL Express air waybill number is 9672834463.

To follow the progress of your shipment and print invoice for your records, please go to :
http://secure.dhldispatches.com/tracking/

IMPORTANT INFORMATION:

DHL Express will deliver your order between 9am-5pm GMT, Monday to Friday. If you are unavailable, DHL Express will leave a card so you can contact them to reschedule.

All orders must be signed for upon delivery.

Please note, we are unable to change the shipping address on your order now it has been dispatched. Your purchase should arrive in perfect condition. If you are unhappy with the quality, please let us know immediately.

Yours sincerely,

Customer Care
www.dhl.com

For assistance email customercare@dhl.com or call 0800 099 27671 from the UK, +44 (0)20 2781 62512 from the rest of the world, 24 hours a day, seven days a week

CONFIDENTIALITY NOTICE
The information in this email is confidential and is intended solely for the addressee. Access to this email by anyone else is unauthorised. If you are not the intended recipient, you must not read, use or disseminate the information. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of DHL Express Deliveries.

secure.dhldispatches.com (hosted on 116.240.194.69, Primus Australia) looks like a DHL page, but it carries a malicious payload which loads from 118.88.25.36 (Dedicated Servers Australia). Blocking access to both those IPs may be prudent. The Wepawet report for this one is here.

Thank you for submitting your information for potential employment opportunities.
We look forward to reviewing your application, but can not do so until you complete our
internal application.

The pay range for available positions ranges from $35.77 per hour to $57.62 per hour.
Prior to being able to be considered, you will first need to formally apply.
Please go here to begin the process:

Please take the time to follow the directions and complete the entire
application process.

Best Regards,

Rock Smith Management

careermanagement.com.ua is a Ukrainian domain; it is hosted on 85.121.39.3, which is a known black-hat host in Romania (Monyson Grup S.A), although as we said before this appears to be an Australian crew running the scam. The layout of the site echoes careerquickstaffing.com, a site that has already been suspended for spamming.

Monday, 5 December 2011

This scam has been around for a while; it's part of a nasty cluster of scam sites that have an Australian connection.

The spam comes from a fake address, delivered from an illegally compromised PC. In this example, the spam appears to come from mulattorcxf826@uncw.edu (which is fake) through a well-known spam server in China, 221.212.109.135. Of course, faking the sender address breaks the CAN SPAM act in the US (where the sender pretends to be), as does the lack of real contact details.

Date: Sat, 3 Dec 2011 11:15:17 +0800
From: "Ralph Nguyen" [mulattorcxf826@uncw.edu]
Subject: Please Complete Your Job Application

Dear Applicant

Thank you for expressing your interest in open employment openings in your area.
We are happy to inform you that our placement specialists will be reviewing available positions for you within the next hour.

Based on your profile, you may qualify for opportunities currently available with a monthly salary in the $4000 to $8700 range.

To maximize your earnings potential, please complete our full application form first:
http://go.likejav.com/9bcf1f

In addition to a highly competitive base pay, applicants that qualify will also enjoy additional benefits such as:
* 2 wks. paid vacation time (per annum);
* Tuition allowance;
* 401(k)
* full benefits package
* generous retirement plan

To retain your priority placement, please complete your application at your earliest convenience.
We look forward to finding the right job for you.

Rockforce Management
Bringing the best candidates and the right jobs together.

The link forwards to rocksmithmanagement.com (but it could be any one of a variety of similarly named scam sites), as listed here.

Of note is the phone number on the first screen - (240) 718-4632 is listed in a number of similar scam sites. I don't know if it is valid or not, it might even belong to a legitimate company. There is no point in ringing it in any case, as the scam unfolds..

The next page is more worrying as it harvests personal details such as your name, phone number and email address. Yes, that would be acceptable for a job site.. but these details are not used at all by this process, so presumably they will be used for spamming purposes.

Once you have signed away your personal details, you get to the "final step" which offers you the chance to check your credit report or view the jobs on offer. On the bottom of the page is a "Privacy Policy" and "Terms of Service" link.. except they aren't links at all, just underlined text. In fact, there is no privacy policy or identifying text anywhere on the site.

If you click on the prominent "Clicking Here" link, you get redirected through referer.us/moxiinternal.go2cloud.org/aff_c?offer_id=2&aff_id=1002&aff_sub=020 to a site called sixfigurekit.com run by an outfit called the "Six Figure Program". The BBB rates the Six Figure Programs as an F in Florida, an F in Illinois but bizarrely a B in New York. On balance it looks pretty poor.

Regardless of whether or not the Six Figure Program is a legitimate business, it certainly isn't a credit check.. and in this case the spam victim has been duped into clicking the link in order to be exposed to this frankly ridiculous scheme.

So what happens if the victim clicks on the other link on the page? They simply get redirected to a page on indeed.com (branded "RockGrade Management" / rockgrademanagement.com) which returns exactly the same results as if the victim had gone directly to indeed.com in the first place.

But wait.. remember the name, phone number and email address you supplied? What happened to them? They're not needed for indeed.com, so it looks likely that the victim has just given themselves up for even more spam.

All the evidence that I have been able to find links this to a site called websitedesignbrisbane.org in Australia. You can complain about Australian companies at ACMA, although it is difficult to identify exactly which company runs that particular site; it bills itself as "Jetstream Web Site Design + SEO", presumably of Brisbane.

Thank you for submitting your information for potential employment opportunities.
We look forward to reviewing your application,
but can not do so until you complete our internal application.

The pay range for available positions ranges from $35.77 per hour to $57.62 per hour.
Prior to being able to be considered, you will first need to formally apply.
Please go here to begin the process:

In this case, the email originated from 200.74.5.198 in Chile. A second sample was from 31.175.175.182 in Poland.

Clicking through the "widg.me" shortcut leads to a site called rockcruitmanagement.com which looks like a recruitment site at first glance, but in fact is just an entry doorway to a very dubious work-at-home scheme. The domain is WhoisGuard protected, but there are several other crappy sites also hosted on 216.38.13.210 of a similar theme.

A tip - if you get a spam email like this, forward it to the web hosts at abuse -at- gigenet.com and perhaps this will be shut down.

All the sites try to hide their identity, but we can trace them back through their Google Analytics ID of UA-1504952 and AdSense ID of pub-286423930919881 to websitedesignbrisbane.org ("Jetstream Web Design + SEO") in Brisbane, Australia. I haven't been able to trace who is behind this company, and in fact it seems doubtful that there is a company at all.. but still, this seems to be the origin of the spam. The registration details for that domain are: